CVE-2023-2618

OpenCV wechat_qrcode Module decoded_bit_stream_parser.cpp decodeHanziSegment memory leak

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A vulnerability, which was classified as problematic, has been found in OpenCV wechat_qrcode Module up to 4.7.0. Affected by this issue is the function DecodedBitStreamParser::decodeHanziSegment of the file qrcode/decoder/decoded_bit_stream_parser.cpp. The manipulation leads to memory leak. The attack may be launched remotely. The name of the patch is 2b62ff6181163eea029ed1cab11363b4996e9cd6. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-228548.

Eine problematische Schwachstelle wurde in OpenCV wechat_qrcode Module bis 4.7.0 entdeckt. Betroffen davon ist die Funktion DecodedBitStreamParser::decodeHanziSegment der Datei qrcode/decoder/decoded_bit_stream_parser.cpp. Dank Manipulation mit unbekannten Daten kann eine memory leak-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei über das Netzwerk erfolgen. Der Patch wird als 2b62ff6181163eea029ed1cab11363b4996e9cd6 bezeichnet. Als bestmögliche Massnahme wird Patching empfohlen.

It was discovered that OpenCV did not properly manage certain XML data, leading to a NULL pointer dereference. If a user were tricked into loading a specially crafted file, a remote attacker could possibly use this issue to make OpenCV crash, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS. It was discovered that OpenCV may perform out-of-bounds reads in certain situations. An attacker could possibly use this issue to cause OpenCV to crash, resulting in a denial of service, or the execution of arbitrary code. This issue only affected Ubuntu 18.04 LTS.

*Credits: Linkai Zheng, NanoApe

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-05-10 CVE Reserved
2023-05-10 CVE Published
2024-08-02 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-401: Missing Release of Memory after Effective Lifetime

CAPEC

References (3)

URL	Tag	Source
https://vuldb.com/?id.228548	Technical Description

URL	Date	SRC

URL	Date	SRC
https://github.com/opencv/opencv_contrib/pull/3484	2024-05-17
https://github.com/opencv/opencv_contrib/pull/3484/commits/2b62ff6181163eea029ed1cab11363b4996e9cd6	2024-05-17

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Opencv Search vendor "Opencv"		Opencv Search vendor "Opencv" for product "Opencv"				>= 4.5.2 < 4.8.0 Search vendor "Opencv" for product "Opencv" and version " >= 4.5.2 < 4.8.0"		-		Affected